Impact
The vulnerability is that the EduKart Pro plugin for WordPress lets a user specify any role during the front-end registration process. An unauthenticated attacker can submit the role "administrator" in a registration request and, because the 'edukart_pro_register_user_front_end' function does not check whether the caller is allowed to assign administrative privileges, the site creates an account with full administrative rights. This gives the attacker complete control of the WordPress installation, including the ability to modify content, install additional plugins, or compromise the site's data integrity and confidentiality. The weakness is a classic example of improper privilege management (CWE-269).
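The following PHP is an added illustration of the pattern described above and of its fix; it is not the plugin's code, and the internals of 'edukart_pro_register_user_front_end' are not on this page. The handler names, the form field names, the nonce action and the 'student' role are assumptions. The vulnerable variant passes a client-supplied role straight to wp_insert_user; the hardened variant chooses the role server-side through an allow-list of low-privilege roles and also verifies a nonce and validates input.

```php
<?php
// Added example, not the plugin's own code. Function names, field names,
// nonce action and the 'student' role are assumptions for illustration.

// Assumed vulnerable pattern: the role comes from the request and is trusted.
function example_register_user_vulnerable() {
    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ) );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );
    $role     = (string) ( $_POST['role'] ?? 'subscriber' ); // attacker-controlled

    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role, // 'administrator' is accepted as-is
    ) );
}

// Hardened version: the role is never taken from the request.
function example_register_user_hardened() {
    // Only accept submissions carrying a nonce issued with the site's own form
    // (rendered with wp_nonce_field( 'example_register', 'example_register_nonce' )).
    $nonce = isset( $_POST['example_register_nonce'] ) ? wp_unslash( $_POST['example_register_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'example_register' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    // Respect the site-wide registration switch.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.' );
    }

    $username = sanitize_user( wp_unslash( $_POST['username'] ?? '' ), true );
    $email    = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $password = (string) ( $_POST['password'] ?? '' );

    if ( '' === $username || ! is_email( $email ) || strlen( $password ) < 12 ) {
        return new WP_Error( 'invalid_input', 'A username, a valid e-mail and a password of at least 12 characters are required.' );
    }
    if ( username_exists( $username ) || email_exists( $email ) ) {
        return new WP_Error( 'exists', 'That username or e-mail is already registered.' );
    }

    // Roles a self-registering visitor may receive. 'student' is an assumed
    // plugin role; anything outside this list is ignored, including
    // 'administrator', 'editor' and roles added by other plugins.
    $allowed_roles = array( 'subscriber', 'student' );
    $requested     = sanitize_key( wp_unslash( $_POST['role'] ?? '' ) );
    $role          = in_array( $requested, $allowed_roles, true )
        ? $requested
        : (string) get_option( 'default_role', 'subscriber' );
    // The default_role option is admin-controlled but could itself have been
    // tampered with; enforce the allow-list on the final value too.
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        $role = 'subscriber';
    }

    return wp_insert_user( array(
        'user_login' => $username,
        'user_email' => $email,
        'user_pass'  => $password,
        'role'       => $role,
    ) );
}
```

The essential change is that the registered role is an output of server-side policy, not an input from the form; the nonce and the users_can_register check narrow who can reach the handler at all, but they are not what prevents the escalation. If a privileged role must ever be assigned from a front-end context, that path should additionally require current_user_can( 'promote_users' ).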
Affected Systems
All installations of the EduKart Pro WordPress theme or plugin from the vendor VenusWeb that are running version 1.0.3 or earlier are affected. The vulnerability is not limited to a specific operating system or hosting environment; any WordPress site that has this plugin enabled and allows user registration is at risk.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity. The EPSS score of less than 1% shows that, at the time of this assessment, the probability of exploitation is low, and the vulnerability is not yet listed in the CISA KEV catalog. However, because exploitation requires no authentication and only a simple form submission, a motivated attacker can easily craft a registration request that specifies the administrator role. If the site allows open user registration, an attacker could locate the registration endpoint, submit the request, and gain administrative access, bypassing all other access controls.
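Because the outcome of exploitation is a newly created administrator account, an affected site can be audited for that artefact directly. The PHP below is an added example, not part of this advisory or of the plugin, meant to be run inside WordPress (for instance with `wp eval-file`); it lists administrator accounts that were registered recently or that are absent from an operator-maintained list of expected admin logins, and flags registration settings that widen exposure. The function names, the 30-day window and the 'siteowner' login are assumptions.

```php
<?php
// Added example, not from the advisory or the plugin. Intended to run inside
// WordPress (e.g. `wp eval-file audit.php`). Names and thresholds are assumptions.

/**
 * Return administrator accounts that were registered within $days days or
 * whose login is not in $expected (the operator's list of known admins).
 */
function example_find_unexpected_admins( array $expected, $days = 30 ) {
    $cutoff   = time() - $days * DAY_IN_SECONDS;
    $findings = array();

    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        // user_registered is stored in GMT by wp_insert_user.
        $registered = strtotime( $user->user_registered . ' UTC' );
        $recent     = ( false !== $registered ) && ( $registered >= $cutoff );
        $known      = in_array( $user->user_login, $expected, true );

        if ( $recent || ! $known ) {
            $findings[] = array(
                'ID'         => (int) $user->ID,
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
                'reason'     => $known ? 'recently created' : 'not in expected list',
            );
        }
    }
    return $findings;
}

/** Settings that make an arbitrary-role registration bug easier to reach. */
function example_registration_config_warnings() {
    $warnings = array();
    if ( get_option( 'users_can_register' ) ) {
        $warnings[] = 'Open registration is enabled (users_can_register=1); confirm it is intended.';
    }
    $default_role = (string) get_option( 'default_role' );
    if ( 'subscriber' !== $default_role ) {
        $warnings[] = 'default_role is "' . $default_role . '" rather than subscriber.';
    }
    return $warnings;
}

// Usage: replace the constructed placeholder list with the site's real admin logins.
$expected_admins = array( 'siteowner' ); // constructed placeholder

foreach ( example_find_unexpected_admins( $expected_admins, 30 ) as $f ) {
    printf( "[%s] #%d %s <%s> registered %s\n",
        $f['reason'], $f['ID'], $f['login'], $f['email'], $f['registered'] );
}
foreach ( example_registration_config_warnings() as $w ) {
    echo "WARN: $w\n";
}
```

Any account reported as "not in expected list" should be treated as a potential compromise indicator rather than simply deleted: preserve its user_registered timestamp and e-mail, correlate with web server logs for the registration request, and review content, plugins and other users changed after that time before the plugin is updated past 1.0.3.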
OpenCVE Enrichment